The amount of illegal cryptocurrency mining now taking place makes keeping track a difficult 
task, but here is a quick roundup of what has been spotted over the last few days. 

• Cisco Talos has detailed a six-month-long investigation into a specific mining campaign that 
used phishing scams tied to Google AdWords to lure victims, stealing tens of millions of 
dollars. 

• Meanwhile, Trend Micro has found and explored miners exploiting two vulnerabilities found in 
Apache CouchDB to install cryptominers on systems. 

• A third method making news is the TrickBot trojan being used to mount a man-in-the-middle 
attack that steals credentials from people as they purchase bitcoin. 

Talos' research found the criminal group, dubbed CoinHoarder, buying Google AdWords linked to 
search terms associated with cryptocurrency, such as "blockchain" or "Bitcoin wallet". The ads then 
appear near the top of a search results page as an advertisement for a Bitcoin wallet site. However, the link 
in the ad takes victims to a professional-looking but malicious landing page posing as a site such as 
blockchain.info. Once on the landing page, the victim is served phishing content in their native 
language, selected based on their IP address, that enables the thieves to remove bitcoin from 
their wallets. 

“The reach of these poisoned ads can be seen when analysing DNS query data. In February 2017, 
Cisco observed spikes in DNS queries for the fake cryptocurrency websites where upwards of 
200,000 queries per hour can be seen during the time window the ad was displayed,” Talos wrote. 
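The DNS signal Talos describes, a sharp hourly spike in queries for a lookalike wallet domain while the poisoned ad was running, is something a defender can watch for in their own resolver logs. The following is an added example, not code from Talos or from the original article: it builds a constructed resolver log (two queries an hour as a baseline, then a burst of 40 distinct clients in one hour), buckets queries per domain per hour, and flags any hour that is at least ten times the domain's median hourly count. The domain names, the log layout and the thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Hypothetical domain names (not real sites): the first stands in for a
# lookalike wallet site promoted by a poisoned search ad.
WALLET_LOOKALIKE = "blockchain-wallet.example"
STEADY_DOMAIN = "updates.example"


def build_sample_log():
    """Construct resolver log lines of the form '<iso timestamp> <client> <qname>'.

    The data is synthetic: two queries per hour for the lookalike domain as a
    baseline, a burst of 40 distinct clients during the 12:00 hour (the window
    in which the ad was shown), and one query per hour for an unrelated domain.
    """
    lines = []
    for hour in range(8, 16):
        for i in range(2):
            lines.append(f"2017-02-10T{hour:02d}:{10 * i:02d}:00 10.0.0.{i + 1} {WALLET_LOOKALIKE}")
        lines.append(f"2017-02-10T{hour:02d}:15:00 10.0.0.5 {STEADY_DOMAIN}")
    for i in range(40):
        lines.append(f"2017-02-10T12:{i:02d}:30 10.0.1.{i + 1} {WALLET_LOOKALIKE}")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, client, normalised qname)."""
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname.rstrip(".").lower()


def hourly_counts(lines):
    """Return {qname: {hour_start: query_count}} for the given log lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        if not line.strip():
            continue
        ts, _client, qname = parse_line(line)
        hour = ts.replace(minute=0, second=0, microsecond=0)
        counts[qname][hour] += 1
    return counts


def find_spikes(counts, factor=10.0, min_queries=20):
    """Flag hours whose count is at least `factor` times the domain's median hourly count.

    `min_queries` suppresses alerts on domains that are rarely queried at all,
    where a jump from 1 to 10 is noise rather than a campaign.
    """
    spikes = []
    for qname, per_hour in counts.items():
        baseline = median(per_hour.values())
        for hour, n in sorted(per_hour.items()):
            if n >= min_queries and n >= factor * max(baseline, 1):
                spikes.append({"qname": qname, "hour": hour.isoformat(),
                               "queries": n, "baseline": baseline})
    return spikes


if __name__ == "__main__":
    for spike in find_spikes(hourly_counts(build_sample_log())):
        print(f"{spike['hour']} {spike['qname']}: {spike['queries']} queries "
              f"(median hourly baseline {spike['baseline']})")
```

Using the median rather than the mean as the baseline keeps a single burst hour from inflating the baseline it is being compared against; in practice the hourly counts would come from a resolver's query log rather than the constructed lines above, and flagged domains would then be checked against the organisation's list of legitimate wallet and exchange sites.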

Most of the victims were from non-English-speaking nations, with particular attention paid to those in 
Africa and other developing countries where banking is difficult and local currencies are unstable, making 
Bitcoin a 'safe' haven. 

This method is so efficient that Talos believes CoinHoarder has stolen more than US$50 million (£36 
million) over the last three years. The group benefited greatly from Bitcoin's recent skyrocketing 
valuation. To keep the scam running, all the group has to do is purchase more AdWords. 

While Trend Micro did not put a figure on the amount stolen by those using the Apache CouchDB 
vulnerabilities, the number of detected attacks has spiked during the last three weeks. 

The flaws at issue are the Apache CouchDB JSON Remote Privilege Escalation Vulnerability 
(CVE-2017-12635) and Apache CouchDB _config Command Execution (CVE-2017-12636), both of which 
were patched in November 2017. 

Trend found that CVE-2017-12635 is exploited first to configure a CouchDB account with admin 
privileges, which is then used to authenticate to the server and trigger the remote code execution flaw, 
CVE-2017-12636. Once inside a system, the injected malware detects and disables competing miners, 
then downloads and executes Coinhive. 

CouchDB is a somewhat popular database management system and is used by some large 
corporations, giving those looking to take advantage of unpatched systems access to some pretty 
powerful resources, Trend noted. 

“However, in our view, the system being targeted is not as important as the existence of vulnerabilities 
that can be exploited,” the report said. “As long as there's a chance to exploit an RCE (remote code 
execution), the threat actors will take advantage of it.” 

Using a remote code execution flaw to run a cryptominer is even more attractive because it is a 
low-risk operation, and also a high-reward one because the prices of the various digital currencies are climbing. 

The TrickBot trojan began its life attacking banking and financial interests, but IBM's X-Force team 
has found the group behind it has expanded into the cryptocurrency-stealing business. This particular 
case has TrickBot placing itself in the middle of a cryptocurrency transaction to steal 
from those purchasing Bitcoin and Bitcoin Cash using a credit card. 

“This particular attack targets both the bitcoin exchange website and that of the payment service to 
grab the coins and route them to an attacker-controlled wallet,” X-Force said. 

TrickBot is a great tool here, IBM said, as it uses web injections to implant itself in both the bitcoin 
wallet and payment card websites, where it can grab the information needed to steal the currency. 
Unlike the AdWords scam, TrickBot requires a relatively high level of expertise from the criminal. 

“Having researched the attack tactics TrickBot applied to this cryptocurrency coin theft, we can see 
that, while it relies on existing mechanisms, the scheme required extensive research of the targeted 
sites, their web logic and the security controls they use,” IBM said. 